...
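```c
#include <fcntl.h>     /* open(), O_RDWR */
#include <sys/stat.h>  /* lstat(), struct stat, S_ISLNK() */
#include <unistd.h>    /* write() */

struct stat lstat_info;
int fd;
/* Check: is "some_file" a symbolic link? */
if (lstat("some_file", &lstat_info) == -1) {
  /* handle error */
}
if (!S_ISLNK(lstat_info.st_mode)) {
  /* Use: the name is resolved a second time here */
  if ((fd = open("some_file", O_RDWR)) == -1) {
    /* handle error */
  }
}
write(fd, userbuf, userlen);
```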
Unfortunately, this code is vulnerable to a TOCTOU (time-of-check, time-of-use) race condition. An attacker can exploit this vulnerability by creating a link named "some_file" to an arbitrary file after the call to lstat() but before the call to open().
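One way to close this window, as an added example that is not part of the original page: `open_checked()` is a hypothetical helper that passes `O_NOFOLLOW` to open() and then compares fstat() on the resulting descriptor with what lstat() saw. The file names in `main()` are constructed samples.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for lstat(), symlink() and O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* open_checked() is a hypothetical helper name, not from the page.
 * Returns an O_RDWR descriptor for path, or -1 if path is a symbolic link
 * or was replaced between the check and the open. */
int open_checked(const char *path)
{
    struct stat before, after;

    if (lstat(path, &before) == -1)
        return -1;
    if (S_ISLNK(before.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    /* O_NOFOLLOW: open() itself refuses a symlink in the final path
     * component, so a link swapped in after lstat() is not followed. */
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    /* fstat() describes the object actually opened; it must be the same
     * device and inode that lstat() examined. */
    if (fstat(fd, &after) == -1 ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        close(fd);
        errno = EAGAIN;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample: a regular file and a symlink pointing at it. */
    const char *file = "toctou_demo_file", *link_name = "toctou_demo_link";
    unlink(file); unlink(link_name);
    close(open(file, O_CREAT | O_RDWR, 0600));
    if (symlink(file, link_name) == -1) return 1;
    int a = open_checked(file), b = open_checked(link_name);
    printf("regular file: %s, symlink: %s\n",
           a != -1 ? "opened" : "refused", b != -1 ? "opened" : "refused");
    if (a != -1) close(a);
    unlink(link_name); unlink(file);
    return 0;
}
```

All later operations should use the returned descriptor rather than the path name, so the name is never resolved again.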
...